Bug 1141949

Summary: Cannot remove Active Directory user accounts using GUI (or cli)
Product: Red Hat Enterprise Linux 7
Reporter: Håkan Hagenrud <hakan.hagenrud>
Component: control-center
Assignee: Ray Strode [halfline] <rstrode>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: low
Priority: unspecified
Version: 7.2
CC: dblechte, ebenes, mclasen, oholy, tpelka, vbenes, vbudikov, vrutkovs
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: control-center-3.14.5-4.el7
Doc Type: Bug Fix
Clone Of:
: 1244932 1446620
Last Closed: 2015-11-19 08:25:32 UTC
Type: Bug
Bug Blocks: 1446620

Description Håkan Hagenrud 2014-09-15 20:37:06 UTC
Description of problem:
My laptop is bound to Active Directory using the realmd package. sssd is the authenticator. Users that log in to the graphical user interface or ssh are added to the Users list in gnome-control-center. Nice. But when trying to remove an account to make the GDM list shorter, the operation fails.

Version-Release number of selected component (if applicable):
realmd-0.14.6-6.el7.x86_64
sssd-1.11.2-68.el7_0.5.x86_64
control-center-3.8.6-15.el7.x86_64

How reproducible:
every time I try

Steps to Reproduce:
1. Join computer to Active Directory domain (2008 r2 level)
2. Log in with user account from Active Directory
3. Log in with local admin account
4. Enter Settings from User account menu (top right corner if GNOME3)
5. Locate Users icon in Settings window and click
6. Unlock pane by clicking the unlock button and provide correct password for local user
7. Locate user account that you want to remove and select it by clicking on it
8. Now click the minus sign at bottom
9. Click either Delete Files or Keep files (I have tried both)
10. User account should be removed from local cache

Actual results:
The user account is still in the list and an error message appears on screen:
running '/usr/sbin/userdel' failed: Child process exited with code 1

Expected results:
The user account should be removed and the home folder of the user should either be removed or kept depending on which button you press

Additional info:
This is not a severe bug, only a minor annoyance. But it should work.

Comment 4 Ondrej Holy 2015-06-03 08:30:28 UTC
*** Bug 1060183 has been marked as a duplicate of this bug. ***

Comment 6 Vladimir Benes 2015-07-14 08:57:41 UTC
this still seems to be buggy:

1. create ipa setup with an enterprise user (EU)
2. add EU via gnome-initial-setup
3. log in the EU via gdm
4. log out
5. log in other user
6. go to control-center
7. unlock in users area
8. press - to delete EU

no luck, no error, nothing...

Comment 8 Vladimir Benes 2015-07-14 14:12:06 UTC
(In reply to Vladimir Benes from comment #6)
> this still seems to be buggy:
> 
> 1. create ipa setup with an enterprise user (EU)
> 2. add EU via gnome-initial-setup
> 3. log in the EU via gdm
> 4. log out
> 5. log in other user
> 6. go to control-center
> 7. unlock in users area
> 8. press - to delete EU
> 
> no luck, no error, nothing...

actually it works now.. something had to be incorrect previously. tested under root and wheel user.

moving back to ON_QA

Comment 9 Vladimir Benes 2015-07-14 15:50:04 UTC
uff, so I have slightly more details: after logging the EU and relogging as other user (non root non wheel) I cannot delete the EU. So moving back to ASSIGNED

Comment 10 Ondrej Holy 2015-07-15 11:17:05 UTC
It seems to me it isn't possible to remove an enterprise user account once the enterprise user has been logged in to the system (I think it is independent of non root or non wheel). It is also reproducible on Fedora 22.

control-center removes the account from permitted logins using realmd and uncaches the user from the accountsservice. The account is successfully removed from permitted logins (see "realm list") and also successfully uncached (see "/var/lib/AccountsService/users"). Consequently it isn't possible to log in as the enterprise user anymore, however accountsservice still sees the account for some reason...

So I suppose this is rather realmd, or accountsservice bug. Ray, what do you think?

Comment 11 Ondrej Holy 2015-07-15 11:20:16 UTC
(In reply to Ondrej Holy from comment #10)
> It seems to me it isn't possible to remove an enterprise user account once the
> enterprise user has been logged in to the system (I think it is independent
> of non root or non wheel). It is also reproducible on Fedora 22.

However it isn't possible to create new enterprise accounts using control-center in Fedora 22 currently due to:
https://bugzilla.gnome.org/show_bug.cgi?id=752405

Comment 12 Ray Strode [halfline] 2015-07-15 13:30:16 UTC
presumably the user is in wtmp so showing up that way.

Comment 13 Ray Strode [halfline] 2015-07-20 19:25:20 UTC
indeed, sudo rm -f /var/log/wtmp makes it start working.

two ideas:

1) make UncacheUser keep the cache file around but mark the user as uncached so the user gets filtered from the results even if wtmp records the user

2) prune the user from wtmp


The latter I don't like since wtmp is a historical record. Anyway the control-center part of this is done and working (provided wtmp gets removed), so will clone for accountsservice
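
Comments 12 and 13 attribute the lingering entry to login records in wtmp. The sketch below is an added example, not code from accountsservice or from this bug report: it parses wtmp records from constructed sample data (assuming the 384-byte glibc `struct utmp` layout on x86_64 Linux) and models idea 1 by filtering a hypothetical set of uncached users rather than touching the log. The names `wtmp_users`, `listed_users` and the sample accounts are illustrative.

```python
import struct
from collections import Counter

# glibc struct utmp on x86_64 Linux: 384 bytes per record (assumed layout).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type value for a normal login session


def make_record(ut_type, user, line=b"tty1", pid=1000, sec=0):
    """Build one constructed wtmp record for the sample data below."""
    return UTMP.pack(ut_type, pid, line, b"", user, b"", 0, 0, 0, sec, 0, 0, 0, 0, 0)


def wtmp_users(data):
    """Count USER_PROCESS records per user name in raw wtmp bytes."""
    counts = Counter()
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        if rec[0] == USER_PROCESS:
            name = rec[4].split(b"\0", 1)[0].decode("utf-8", "replace")
            if name:
                counts[name] += 1
    return counts


def listed_users(data, uncached=frozenset()):
    """Users a login list would show: seen in wtmp, minus those marked uncached."""
    return sorted(u for u in wtmp_users(data) if u not in uncached)


# Constructed sample: two logins by a domain user, one by a local admin,
# plus a BOOT_TIME record (type 2) that must not count as a user.
SAMPLE = b"".join([
    make_record(2, b"reboot", line=b"~"),
    make_record(USER_PROCESS, b"eu@example.test", sec=100),
    make_record(USER_PROCESS, b"localadmin", sec=200),
    make_record(USER_PROCESS, b"eu@example.test", sec=300),
])

if __name__ == "__main__":
    print(wtmp_users(SAMPLE))
    print(listed_users(SAMPLE))
    print(listed_users(SAMPLE, uncached={"eu@example.test"}))
```

To inspect a real host, pass the bytes of `/var/log/wtmp` to `wtmp_users`; the file is only read, so the historical record stays intact.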

Comment 19 errata-xmlrpc 2015-11-19 08:25:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2157.html